
KB-3198: Can Centrify centrally manage extended ACL on AIX?

Centrify DirectControl

8 April,16 at 12:29 AM

Applies to: Centrify DirectControl on AIX Platforms

Question:
Normally, an extended ACL can be set up on a server using the AIX acledit command:

# acledit test.sh

"Extended permissions" would need to be enabled for test.sh and then the permit line added underneath:

# acledit test.sh
*
* ACL_type AIXC
*
attributes:
base permissions
owner(root): rwx
group(system): r-x
others: r-x
extended permissions
enabled changed from disabled
permit rwx u:johnsmith added



This will allow user johnsmith to have rwx permissions to this file. The aclget command then displays:
*
* ACL_type AIXC
*
attributes:
base permissions
owner(root): rwx
group(system): r-x
others: r-x
extended permissions
enabled
permit rwx u:johnsmith



How can this be set up and managed from a global location via Centrify?

Answer:
The target of acledit is a file: it updates the ACL of the named file object, and it requires the EDITOR environment variable to be set in order to run.

This means the request is not related to user extended attributes; it is file related, which is beyond the scope of DirectControl.

Group Policies can be pushed out to many machines to run a command or script. However, because acledit requires EDITOR, meaning interaction with a user is needed, there is no way to provide the needed interaction.

It may be possible to work with piped input, but this is an untested concept, and it would still need a way to supply different input at different times.
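
One way the piped-input idea could look, as an added example that is not Centrify code and is not part of the original article: the ACL text printed by aclget is edited by a filter and written back through standard input, so no EDITOR is involved. It assumes the AIX commands aclget and aclput (aclput is not mentioned in the article); the function names and the sample ACL are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample in aclget's AIXC text format (extended ACL still disabled).
SAMPLE_ACL='*
* ACL_type AIXC
*
attributes:
base permissions
    owner(root):  rwx
    group(system):  r-x
    others:  r-x
extended permissions
    disabled'

# add_permit MODE WHO   e.g. add_permit rwx u:johnsmith
# Filter: ACL text on stdin -> ACL text on stdout with extended permissions
# enabled and "permit MODE WHO" present exactly once. Exits 2 if the input
# has no "extended permissions" section (not an AIXC ACL, or aclget failed).
add_permit() {
    awk -v mode="$1" -v who="$2" '
        BEGIN { entry = "permit " mode " " who }
        /^[ \t]*$/ { next }
        /^[ \t]*extended permissions[ \t]*$/ { in_ext = 1; print; next }
        in_ext && /^[ \t]*disabled[ \t]*$/ { sub(/disabled/, "enabled") }
        in_ext {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line); gsub(/[ \t]+/, " ", line)
            if (line == entry) have = 1
        }
        { print }
        END {
            if (!in_ext) exit 2
            if (!have) print "    " entry
        }'
}

# apply_permit FILE MODE WHO: read, edit and write back the ACL with no EDITOR.
# The new ACL is built completely before aclput runs, so a failed read or
# parse never overwrites the file ACL with partial text.
apply_permit() {
    new_acl=$(aclget "$1" | add_permit "$2" "$3") || return 1
    printf '%s\n' "$new_acl" | aclput "$1"
}

# Usage on an AIX host (as pushed by a script): sh thisfile test.sh rwx u:johnsmith
if [ $# -eq 3 ]; then apply_permit "$@"; fi
```

Because the filter is idempotent, the same script can be pushed repeatedly without stacking duplicate permit lines; different users or modes are supplied as arguments rather than typed into an editor.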

As this is beyond the scope of Centrify, the above are provided as possible suggestions only.

Note:
This is about pure AIX file/access permissions. Other UNIX systems (Linux, Sun, HP, etc.) have no acledit; it exists only in AIX. Everything above can be done with the UNIX command chmod, except the AIX extended attributes. Centrify has never done anything with file permissions or file attributes.
